March 2007
Report No. 07-009

FDIC’s Contract Planning and Management for Business Continuity

AUDIT REPORT

FDIC’s Contract Planning and Management for Business Continuity

Background and Objective of the Audit

The Federal Emergency Management Agency issued Federal Preparedness Circular 65 (FPC 65), providing guidance for agencies to use in developing continuity of operations plans. The FDIC’s Emergency Preparedness Program establishes the FDIC’s business continuity policy and requires Business Continuity Plans (BCP) to be established in the FDIC’s Washington Area Headquarters Offices and in each of the regional offices. The BCPs include procedures for relocating essential personnel; resuming and restoring FDIC critical business processes; and recovering and reconstituting supporting information technology systems. Identifying essential contracts and ensuring that contracts provide for services in the event of a BCP scenario are critical to FDIC operations.

The objective of this audit was to determine whether the FDIC has planned for essential contract services to be provided in the event of an emergency that requires implementation of the FDIC’s BCP.

Results of Audit

The FDIC has planned to ensure contract services are provided in the event of an emergency and is continuing to improve contract management for business continuity. The FDIC has identified most essential contracts for business continuity purposes and modified many of those contracts to include emergency preparedness clauses. Also, the FDIC has a process to update its list of essential contracts in the BCP annually. The FDIC could further improve its contract planning and management for business continuity by:

• enhancing BCP procedures and the Business Impact Analysis questionnaire to require documentation of all essential contracts, including detailed information about each contract;
• requiring program offices to include emergency preparedness clauses in the Statement of Work for essential contracts and subcontracts to ensure that business continuity is considered in the procurement process; and
• amending acquisition policy and procedures and BCP policy to require that essential contractors (a) have emergency plans for providing services to the FDIC in the event of a disruption of normal operations and (b) participate in the FDIC’s business continuity testing, training, and exercise activities.

Additional guidance in the FDIC’s Acquisition Policy Manual and BCP policy and procedures would help to ensure that contractor activities are fully integrated into FDIC business continuity planning to enhance the FDIC’s readiness to continue essential operations in emergency situations.

Recommendations and Management Response

We made three recommendations to strengthen the FDIC’s contract planning and management for business continuity. The Division of Administration (DOA) concurred with our recommendations and has completed corrective actions.

To view the full report, go to www.fdicig.gov/2007reports.asp

TABLE OF CONTENTS

BACKGROUND
     FDIC Emergency Preparedness
     Business Impact Analysis
     Business Continuity Planning
     BCP Testing, Training, and Exercise
RESULTS OF AUDIT
BUSINESS IMPACT ANALYSIS
     Use of Emergency Preparedness Clauses
     Recommendation
BUSINESS CONTINUITY PLANNING
     Contracting Procedures for Essential Services
     Contracting Procedures for Subcontractors
     Recommendation
BCP PROCEDURES FOR CONTRACTOR TESTING, TRAINING, AND EXERCISES
     Testing, Training, and Exercises
     Recommendation
CORPORATION COMMENTS AND OIG EVALUATION
APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II: CORPORATION COMMENTS
APPENDIX III: MANAGEMENT RESPONSE TO RECOMMENDATIONS

TABLE
Summary of Results of Audit

ACRONYMS

APM        Acquisition Policy Manual
ASB        Acquisition Services Branch
BCP        Business Continuity Plan
BIA        Business Impact Analysis
COOP       Continuity of Operations Plan
DOA        Division of Administration
DIT        Division of Information Technology
EPP        Emergency Preparedness Program
ERP        Emergency Response Plan
FEMA       Federal Emergency Management Agency
FFIEC      Federal Financial Institutions Examination Council
FPC        Federal Preparedness Circular
GSA        General Services Administration
GPRA       Government Performance and Results Act
ISC        Infrastructure Services Contract
IT         Information Technology
ITAS       Information Technology Applications Systems
NIST       National Institute of Standards and Technology
OIG        Office of Inspector General
SEPS       Security and Emergency Preparedness Section
SRA        SRA International, Inc.

Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, VA 22226
Office of Audits
Office of Inspector General

DATE:             March 30, 2007

MEMORANDUM TO:    Arleas Upton Kea, Director
                  Division of Administration

FROM:             /Signed/
                  Russell A. Rau
                  Assistant Inspector General for Audits

SUBJECT:          FDIC’s Contract Planning and Management for Business Continuity (Report No. 07-009)

This report presents the results of our audit of the FDIC’s Contract Planning and Management for Business Continuity. As of December 31, 2006, the FDIC had eight contracts valued at more than $800 million that were deemed essential to its critical business processes. The objective of this audit was to determine whether the FDIC has planned for essential contract services to be provided in the event of an emergency that requires the implementation of the FDIC’s Business Continuity Plan (BCP).[1] Additional details on our objective, scope, and methodology are provided in Appendix I.

BACKGROUND

In June 2004, the Federal Emergency Management Agency (FEMA) revised Federal Preparedness Circular (FPC) 65, Federal Executive Branch Continuity of Operations,[2] to assist Federal Executive Branch departments, agencies, and independent organizations in developing contingency plans and programs for the continuity of operations (COOP)[3] and to identify elements of a viable COOP capability. FPC 65 states that COOP planning includes the activities of individual departments and agencies and their subcomponents to ensure that their essential functions are performed during any emergency or situation that may disrupt normal operations. FPC 65 further states that COOP planning (1) is part of the fundamental mission of federal agencies as responsible and reliable public institutions and (2) requires a comprehensive program to ensure the continuity of essential federal functions.

Elements of a Viable COOP Capability
• Essential Functions
• Plans and Procedures
• Orders of Succession
• Delegations of Authority
• Alternate Facilities
• Redundant Emergency Communications
• Vital Records
• Testing, Training, and Exercises
Source: FPC 65.

[1] The FDIC’s contract planning and management for business continuity was also addressed in a previous FDIC Office of Inspector General (OIG) report, FDIC’s Business Continuity Plan (Report No. 04-029, dated August 9, 2004), which discusses the OIG’s assessment of the FDIC’s BCP against 14 key elements of business continuity planning.
[2] The FDIC has determined that FPC 65 contains guidance, not legally binding requirements, for the FDIC.
[3] The terms COOP and BCP are generally considered synonymous.

FDIC Emergency Preparedness

FDIC Circular 1500.5, FDIC Emergency Preparedness Program, dated January 30, 2007, serves as the official policy for FDIC Headquarters and regional offices in developing, implementing, and maintaining an FDIC Emergency Preparedness Program (EPP) to safeguard personnel and continue critical business processes during emergencies. The circular was updated during our audit, and the OIG provided comments during the revision process. FDIC Circular 1500.5 states that the EPP supports emergency preparedness planning guidance as outlined in FPC 65, as well as industry-recognized emergency preparedness best practices. The EPP comprises three components: the Emergency Response Plan (ERP), a BCP, and any other plans necessary to prepare for an emergency. The ERP documents the procedures and structure for a coordinated response to an emergency and focuses on mitigating injuries and loss of life to FDIC personnel, contractors, and visitors at FDIC locations. The BCP documents the procedures for relocating essential personnel; resuming and restoring FDIC critical business processes; and recovering and reconstituting supporting information technology (IT) systems. The BCP is composed of individual division and office continuity plans, which identify critical business functions; how soon those functions must be operational in emergency situations; and the personnel, equipment, and systems resources needed to operate those functions during an emergency. The FDIC updates its BCP annually, as discussed below.

Business Impact Analysis

FPC 65 provides that planning requirements for a viable COOP capability must include the development, maintenance, and annual review of agency COOP capabilities using a multi-year strategy and program management plan. The FDIC addresses this requirement in the EPP by requiring an annual Business Impact Analysis (BIA). The BIA is a tool that enables full characterization of system requirements, processes, and interdependencies to determine contingency requirements and priorities. The BIA’s purpose is to correlate specific system components with the critical services they provide and, based on that information, to characterize the consequences of a disruption to those system components.

Business Impact Analysis Objectives
• Identifying and prioritizing essential functions, business processes, and mission-critical applications
• Defining the criticality criteria
• Determining the disaster cost impact on business processes
• Identifying critical application interdependencies
• Defining recovery windows for critical applications
Source: FDIC Circular 1500.5.

During the BIA, critical business function requirements and critical IT applications are reviewed, validated, added, or removed. The Division of Administration (DOA) is responsible for conducting an annual BIA with the FDIC’s divisions and offices. The BIA serves as the basis for updating the corporate BCP and, as required, BCPs for the FDIC’s divisions, offices, and regions.

Each year, the Directors of DOA and the Division of Information Technology (DIT) issue a BIA letter and BIA questionnaire to each FDIC division and office, informing them that BCPs will be updated based on completion of the annual BIA. The BIA letter notifies the divisions that DOA’s Security and Emergency Preparedness Section (SEPS) and DIT security personnel will be meeting with them to obtain updated information on their critical business functions and the resource requirements for accomplishing those functions.

The BIA questionnaire obtains information on the resources, assets, and applications that are critical to the divisions and offices and to the mission of the FDIC. During BIA meetings, SEPS and DIT personnel obtain additional detailed information on the functions the divisions and offices would require in an emergency, such as personnel, equipment, facilities, records, systems, interdependencies, and essential contracts and points of contact. The divisions and offices return the completed questionnaires to SEPS and DIT, which use them, together with the results of the BIA meetings, to update the BCPs.

Business Continuity Planning

According to FDIC Circular 1500.5, the BCPs are the components of the EPP that document the procedures for relocating essential personnel, resuming and restoring FDIC critical business processes, and recovering and reconstituting supporting IT systems. The FDIC’s division and office Directors, Regional Directors, and Managers are required to develop BCPs that can facilitate the resumption of critical business processes within 12 hours of plan activation and are capable of sustaining operations for up to 30 days. These BCPs are included in the corporate BCP. Each BCP must be reviewed by the Assistant Director, SEPS, for final approval by the FDIC Chairman or designee. The current corporate BCP was revised during 2006 and was issued on February 12, 2007.

Key Elements of the FDIC’s Business Continuity Plan
• Continuity Roles and Responsibilities
• Orders of Succession
• Plan Activation Criteria
• Alert and Notification Procedures
• Alternate Operating Facility Designation
• Prioritized List of Essential Functions
• Identification of Key Contractors
• Interoperable Emergency Communications
• Training and Exercise Events
Source: FDIC Circular 1500.5.

The Headquarters BCP has identified a primary and secondary alternate facility for critical personnel if the FDIC Headquarters in Washington, D.C., is inaccessible or uninhabitable. Also, each regional office has a designated alternate worksite for relocating critical personnel if the vicinity surrounding a regional office becomes inaccessible or uninhabitable.

Identification of Essential Contracts. FDIC Circular 1500.5 states that BCPs should identify key contractors needed to operate during an emergency. Such contractors provide essential services in support of the FDIC’s business processes. For example, the FDIC relies on contractors to support its designated alternate locations in the event of an emergency. The FDIC conducted a review of contracts during 2005 to identify those considered essential for business continuity. Specifically, contracts for IT support and maintenance, security services, call center operations, fuel and facilities, shuttle services, cafeteria operations, and others were identified as essential. Once essential contracts had been identified, the FDIC’s Legal Division worked with DOA’s Acquisition Services Branch (ASB)[4] to draft emergency preparedness clauses to be added as modifications to the FDIC’s essential contracts in accordance with the acquisition process outlined in the FDIC’s Acquisition Policy Manual (APM),[5] which governs contracting activities. The list of essential contracts and emergency points of contact were then added to the FDIC’s Headquarters BCP. The FDIC plans to use the annual BIA process to update the list of essential contracts used in BCPs. The Assistant Director, SEPS, stated that although SEPS is responsible for preparing the corporate BCP, the divisions are responsible for determining those contracts they consider essential and for ensuring that ASB adds contract clauses addressing business continuity to the essential contracts.

BCP Testing, Training, and Exercise

[Figure: the linkage among the BIA, the BCP, and Testing, Training, & Exercise. Source: OIG Analysis.]

FPC 65 states that testing, training, and exercise are essential to demonstrating, assessing, and improving the ability of agencies to execute their COOP plans. FDIC Circular 1500.5 identifies the linkage of the processes for BIAs; BCPs; and testing, training, and exercise designed to maintain a viable emergency response capability. The BCPs at FDIC Headquarters and the regional offices are tested annually through table-top[6] and situation room[7] exercises to validate information in the BCP. Lessons learned from these exercises are then incorporated into the plans accordingly.

In addition, Headquarters and the regional office staff plan to participate in local exercises sponsored by various agencies, including FEMA and the Federal Executive Councils located in major U.S. cities. SEPS advised us that it does not perform testing of essential contractor emergency response activities, and such testing is not currently required by the FDIC’s Circular 1500.5. However, SEPS is responsible for the Security Guard contract, which supports all corporate components, and has verified that the contractor has a plan that will provide guards in an emergency situation.

[4] ASB is responsible for fulfilling the FDIC’s procurement responsibilities, including issuing policies and procedures governing contracts for goods and services.
[5] The APM establishes an updated set of policies and procedures for: (a) procuring goods and services on behalf of the Corporation in its corporate, receivership, and conservatorship capacities; and (b) identifying roles and responsibilities for all FDIC employees involved in the pre-solicitation, solicitation, proposal evaluation, award, and contract administration phases of the procurement process.
[6] Table-top exercises involve a test moderator setting forth a disaster scenario and the various recovery teams walking through their documented tasks in responding to the particular situation with an eye toward correcting any shortcomings in either the strategy or planned response.
[7] Situation room exercises include table-top exercises and engage some or all of the recovery strategy, such as routing actual telecommunications traffic to the alternate facility.

RESULTS OF AUDIT

The FDIC has planned for essential contract services to be provided in the event of an emergency that requires implementation of the FDIC’s corporate BCP. The FDIC established a process for performing BIAs; business continuity planning; and testing, training, and exercise activities that considers essential contract services. Also, the FDIC has identified most of its essential contracts for business continuity purposes, modified many of those contracts to include emergency preparedness clauses, and plans to update FDIC essential contracts during the Corporation’s 2007 BIA process. However, as summarized in the table below, the FDIC could further improve its contract planning and management for business continuity by including additional controls in the FDIC’s EPP and APM related to essential contractors and subcontractors. These improvements will help to ensure that essential contractors are more fully integrated into the FDIC’s business continuity activities to provide services in emergency situations.

Summary of Results of Audit

FDIC Process: Business Impact Analysis
FDIC Procedures for Essential Contractors: Essential functions are reviewed and updated during the annual BIA process.
Improvement Needed: The BIA questionnaire does not solicit key information on essential contractors and subcontractors.

FDIC Process: Business Continuity Planning
FDIC Procedures for Essential Contractors: Emergency preparedness clauses are included in essential contracts.
Improvement Needed: The APM does not include a requirement for contracts to be evaluated to determine whether emergency preparedness clauses should be included for prime contractors and subcontractors during preparation of the contract Statements of Work.

FDIC Process: Testing, Training, and Exercise
FDIC Procedures for Essential Contractors: The EPP requires regularly scheduled training and exercise events such as table-top and functional exercises and personnel recall roster tests.*
Improvement Needed: Essential contractors are not required to submit their emergency plans for FDIC functions for review and incorporation, as appropriate, into the FDIC’s BCPs. Essential contractors do not participate in FDIC BCP testing, training, and exercises.

* Recall rosters list essential FDIC senior management and personnel who are notified by electronic means to report to a designated location in the event of an emergency or implementation of the FDIC’s BCP.

BUSINESS IMPACT ANALYSIS

Although SEPS and DIT have identified most of the FDIC’s essential contracts, the current BIA questionnaire does not solicit key information on these contracts. The FDIC’s EPP was revised in January 2007 to include procedures for identifying essential contractors. However, the procedures for conducting the BIA, dated November 19, 2003, do not contain provisions dealing with essential contractors’ support, such as contractor emergency plans; essential subcontracts; and testing, training, and exercise requirements. As a result, the FDIC’s BIA process may not fully document or consider information that can be useful in planning for essential contract services in an emergency.

Use of Emergency Preparedness Clauses

FDIC Circular 1500.5 focuses attention on business continuity planning as the means for resuming and restoring critical business processes during an emergency. The FDIC uses the BIA to make annual updates to the BCPs. The FDIC relies extensively on contractors; therefore, contractor support is a key component of the BIA and business continuity planning.

We also reviewed the best practices for financial institutions as described in the Federal Financial Institutions Examination Council (FFIEC) Business Continuity Planning IT Examination Handbook, issued in March 2003. The FFIEC provides guidance to financial institutions and examiners on evaluating financial institution and service provider risk management processes, including guidance on conducting the BIA. The focus is on business continuity planning, whereby financial institutions ensure the maintenance or recovery of operations when confronted with adverse events, such as natural disasters, technological failures, human error, or terrorism.

The FFIEC recommends that financial institutions ensure that key contractors/service providers are identified and that backup arrangements are stipulated in contracts for services. The FFIEC also recommends that the BIA solicit the critical outsourced relationships and dependencies and that each department document the mission-critical functions performed by these outsourced relationships. Further, the FFIEC recommends that personnel responsible for the BIA consider developing uniform interview and inventory questions that can be used on an enterprise-wide basis. Uniformity can improve the consistency of responses and help personnel involved in the BIA phase to compare and evaluate business process requirements.

The SEPS and DIT personnel who conducted the BIA provided us with a detailed description of the process and told us that although the BIA procedures and questionnaire do not include questions on essential contracts, SEPS and DIT plan to discuss essential contracts during their BIA meetings with the divisions and offices. SEPS stated that the name of the contract and the contractor key points of contact are included in the BCP.

To help ensure that critical information on essential contractors is obtained during the BIA and that a standard procedure is used for updating essential contractor information in the BCP, the FDIC’s policy and procedures for conducting the BIA and the BIA questionnaire could be amended to solicit additional information about essential contracts, such as:

• the purpose of the contract;
• how the contractor may need to alter operations for the FDIC in an emergency;
• the critical services required from contractor personnel and potential disaster cost impact;
• the timeframes during which the services would be required and system recovery windows;
• whether the contractor is required to have an emergency plan that addresses FDIC activities and to submit the plan to the FDIC for review;
• whether the contract includes an emergency preparedness clause;
• essential subcontracts; and
• testing, training, and exercise requirements for the contractors’ support provided to the FDIC.

Obtaining responses to these questions, and to others determined to be important, in the BIA questionnaire would result in more complete information for the FDIC’s business planning activities, consistency and uniformity in the information obtained, and assistance to program managers in identifying essential contracts and subcontracts. This information would also facilitate the consideration of contractor support in testing, training, and exercise activities.

Recommendation

(1) We recommend that the Director, DOA, amend, as appropriate, the BIA procedures and questionnaire for obtaining additional information on essential contracts and for using the contractor-related responses in the BCP.

BUSINESS CONTINUITY PLANNING

The FDIC could improve its contract planning for business continuity to ensure that all essential contractors and subcontractors are required to provide services for the FDIC in an emergency. The EPP includes requirements for the identification of essential contractors needed to operate during an emergency. However, APM contracting procedures do not require that program officials determine whether a contract is essential for business continuity when preparing a Statement of Work for the contract. In 2005, DOA completed a review of essential contracts and modified them to include an emergency preparedness clause. However, contracts awarded since the DOA contract review that may be essential to the FDIC’s mission were awarded without an emergency preparedness clause. Also, the FDIC has not established procedures to ensure that key subcontractors on the FDIC’s essential contracts are prepared to provide essential services in an emergency. As a result, essential contractors and subcontractors may not be routinely identified as part of the procurement process for purposes of business continuity planning activities, and the scope of their emergency responsibilities may not be well defined.

Contracting Procedures for Essential Services

During 2005, SEPS and DIT determined that eight contracts were essential for business continuity. Because DOA had not established a procedure for evaluating whether contracts were essential for business continuity when originally awarded, these contracts did not include an emergency preparedness clause. Instead, partly in response to an FDIC OIG report, FDIC’s Business Continuity Plan (Report No. 04-029, dated August 9, 2004), SEPS and DIT determined which contracts were essential and then modified those contracts to include an emergency preparedness clause, as follows.

       If, at any time during the performance of this contract, the FDIC requires services essential or critical to its mission due to an actual or threatened emergency situation as declared by the federal, state, or local authority, the contractor shall provide all resources necessary to support these services. If an actual or threatened emergency exists, the contractor shall take immediate and effective measures to ensure the availability or use of back-up or redundant services to support the emergency situation without any disruption. Any needed back-up or redundant services shall be provided for as long as the actual or threatened emergency situation exists.

       Any costs associated with providing back-up or redundant services shall be reimbursed at the previously negotiated labor rates. After receipt of the FDIC’s notification requiring services essential or critical to its mission, the contractor shall submit an equitable adjustment proposal for the back-up or redundant services. The equitable adjustment proposal shall include, as a minimum, a breakdown of the labor categories involved, the total estimated hours for each labor category, the negotiated labor rate, and the total cost/price.

The APM does not require the routine identification of essential contracts. Therefore, new contracts may not include emergency preparedness requirements. For example, DIT’s Information Technology Applications Systems (ITAS) contract, which totals $554.8 million for IT systems development and maintenance, was not awarded until after the 2005 identification process had been completed and was not modified to include the emergency preparedness clause.

While SEPS and DIT personnel plan to include questions about essential contracts in their future BIA interviews, the BIA was not conducted during 2006 because of the FDIC’s move to Virginia Square. As of February 1, 2007, the ITAS contract had been in effect for 19 months without an emergency preparedness clause.

The ITAS contract is a multi-vendor contract with 4 contractors and 18 current task orders. According to DIT, some of the task orders provide essential support to DIT and should include the emergency preparedness clauses. If FDIC contracting procedures had required that program officials include emergency preparedness clauses in contracts and task orders that provide essential support, program officials would have been on notice of such a requirement and could have taken the steps necessary to ensure that the contractors were prepared to provide such critical services for FDIC’s IT systems. The FDIC’s ability to maintain critical operations during an emergency could be improved by ensuring that all essential contracts include the appropriate emergency preparedness/business continuity clauses.
This can be accomplished by including\nemergency preparedness provisions in the Statement of Work for essential contracts as part of\nthe solicitation process for contractor proposals.\n\n\n\n\n                                                 8\n\x0cContracting Procedures for Subcontractors\n\nThe FDIC has not established procedures or taken action to ensure that key subcontracts for the\nFDIC\xe2\x80\x99s essential contracts include emergency preparedness clauses. As discussed earlier, the\nFDIC has identified eight contracts that are considered essential to maintain the FDIC\xe2\x80\x99s critical\nfunctions in the event of an emergency or business continuity scenario. Two of these eight\ncontracts are critical to the FDIC\xe2\x80\x99s IT systems and have multiple subcontractors. The FDIC has\nnot required the prime contractors to ensure that subcontracts for work on essential FDIC\ncontracts have emergency preparedness requirements. Therefore, the FDIC does not have full\nassurance that the prime contractor will be able to perform in cases where subcontractors provide\ncritical support to essential prime contractors.\n\nThe following examples illustrate the need for consideration of subcontractor emergency\npreparedness requirements. DIT has an Interagency Agreement with the General Services\nAdministration (GSA), through which a task order, the Infrastructure Services Contract (ISC)\nwas awarded to SRA International, Inc. (SRA). This contract was awarded in September 2004\nand was modified in May 2006 to include the emergency preparedness clause that had been\nadded to the FDIC contracts that had previously been identified as being essential for business\ncontinuity. The SRA contract has an expenditure ceiling totaling $341 million and includes\nservices provided by three SRA subcontractors. 
Subcontracted services included work for\nhelpdesk and client support, mainframe operations, and telecommunications support services that\nmay be essential for business continuity. In addition, SRA used some short-term labor contracts\nrelated to IT security and mainframe support. However, according to the DIT\xe2\x80\x99s Oversight\nManager for the contract, none of the SRA\xe2\x80\x99s subcontracts had been amended to include the\nemergency preparedness clause when the overall contract was modified in 2006.\n\nAlso, as previously discussed, DIT\xe2\x80\x99s ITAS contract does not contain the emergency preparedness\nclause, and it is a multi-vendor contract with 4 contractors and 18 current task orders. As a result\nof our audit work, the DIT Oversight Manager advised us that he was going to request that ASB\nmodify the ITAS contract to include the emergency preparedness clause. However, the FDIC\ndoes not have a policy or procedures for ensuring that the prime contractors include the clause in\ntheir subcontracts or to provide for other arrangements to ensure that subcontractors fulfill their\nresponsibilities in providing services. 
Because the SRA and the ITAS contractors have not\nincluded the emergency preparedness clause in their essential subcontracts, the FDIC\xe2\x80\x99s ability to\nfully provide services in an emergency may be compromised.\n\nRecommendation\n\n(2) We recommend that the Director, DOA, amend the procedures in the Acquisition Policy\n    Manual, or other procedures as appropriate, to require that Statements of Work for contracts\n    and task orders under contracts contain:\n\n    \xe2\x80\xa2 business continuity requirements if contracted services are deemed essential in the event\n      of an emergency or business continuity event,\n\n\n\n\n                                                 9\n\x0c    \xe2\x80\xa2 requirements that essential contractors include emergency preparedness and business\n      continuity provisions in essential subcontracts.\n\nBCP PROCEDURES FOR CONTRACTOR TESTING, TRAINING, AND EXERCISES\n\nThe FDIC has not established procedures requiring essential contractors to provide the FDIC\nwith evidence of their emergency plans for FDIC critical business functions or for participation\nin the FDIC\xe2\x80\x99s BCP testing, training, and exercises. According to SEPS, ASB, and Legal\nDivision personnel, the FDIC\xe2\x80\x99s practices for ensuring that essential contractors provide services\nin an emergency are limited to the inclusion of an emergency preparedness clause in the contract.\nThis clause is intended to put contractors on notice that the services they provide are critical to\nthe FDIC\xe2\x80\x99s mission and that the FDIC would require the continuation or expansion of these\nservices in an emergency. 
However, without verifying contractors\xe2\x80\x99 emergency plans for FDIC\ncritical functions and including contractors in FDIC BCP testing, training and exercises, the\nFDIC does not have adequate assurance that essential contractors will be able to provide the\nFDIC the service coverage that may be required during a business continuity scenario.\n\nTesting, Training, and Exercises\n\nFDIC Circular 1500.5 requires that the Assistant Director, SEPS, coordinate and facilitate\nemergency preparedness training and exercise events. Specifically, the circular requires that the\nAssistant Director develop strategies for maintaining a viable emergency response capability that\nincludes training and exercise activities and milestones, coordinating with senior FDIC\nmanagement on these activities, and identifying and resolving resulting issues and concerns. The\ncircular also refers to testing with respect to the use of recall rosters. Since the FDIC relies\nextensively on essential contractors, contractor support is a key component of the FDIC\xe2\x80\x99s\nemergency response capability.\n\nIn addition to reviewing the requirements of FDIC Circular 1500.5, we reviewed the best\npractices for financial institutions described in the FFIEC Business Continuity Planning, IT\nHandbook. The FFIEC recommends that financial institutions obtain a copy of vendors\xe2\x80\x99 BCPs\nand incorporate them into their business continuity plans. The FFIEC also recommends that\ncontracts address the service providers\xe2\x80\x99 responsibilities for maintenance and testing of disaster\nrecovery and contingency plans and that, if possible, respective institutions should consider\nparticipating in their service providers\xe2\x80\x99 testing process. 
While the FDIC is not required to follow\nthe FFIEC guidance, industry best practices recommend that essential contracts be identified and\ntheir business continuity plans be tested to ensure the continuity of operations.\n\nAlthough the FDIC has conducted business continuity exercises to test the FDIC\xe2\x80\x99s BCPs, the\nFDIC has not included contractors\xe2\x80\x99 business continuity activities in any of these events. Further,\nthe FDIC does not have policies and procedures in its APM to address contractors\xe2\x80\x99 emergency\nplanning and the verification of the contractors\xe2\x80\x99 operational capacities through testing, training,\nand exercises to determine whether the contractors have the ability to provide services expected\nby the FDIC in the event of an emergency.\n\n\n\n\n                                                10\n\x0cFor most of the contracts identified as essential, DOA has submitted an emergency preparedness\nclause to the contractor for concurrence and inclusion in a contract modification. Nevertheless,\nwith the exception of one essential contract related to the FDIC\xe2\x80\x99s Call Center,8 the FDIC has not\nrequested that the other essential contractors provide their emergency plans for FDIC review or\nrequired that essential contractors affirm that their organization has a business continuity or\nemergency preparedness plan. The one contract that does require the contractor to provide its\nemergency plan resulted from the initiative of the individual contract manager and not in\nresponse to FDIC\xe2\x80\x99s policies or procedures.\n\nAccording to SEPS and Legal Division personnel, including contractors in emergency\npreparedness testing, training, and exercises has not been discussed or recommended to FDIC\nsenior management. Also, Circular 1500.5 does not specifically refer to including contractors in\nthese activities. 
However, as part of fulfilling its overall responsibilities for testing, training, and\nexercises of business continuity planning, the FDIC could more fully consider its reliance on\nessential contractors and the need to assess their capabilities, including those of their essential\nsubcontractors, to respond in the event of an emergency. Doing so will help ensure available\nemergency response capability.\n\nRecommendation\n\n(3)       We recommend that the Director, DOA, amend:\n\n          \xe2\x80\xa2   procedures in the Acquisition Policy Manual, or other procedures as appropriate, to\n              provide that Statements of Work for essential contracts and task orders ensure that\n              contractors have emergency plans for providing services to the FDIC in the event of a\n              disruption of normal operations and participate in the FDIC\xe2\x80\x99s business continuity\n              testing, training, and exercises.\n\n          \xe2\x80\xa2   Circular 1500.5, FDIC\xe2\x80\x99s Emergency Preparedness Program, to include essential\n              contractors in FDIC\xe2\x80\x99s BCP planning and testing, training, and exercises.\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nThe Director, DOA, provided a written response, dated March 30, 2007, to a draft of this report.\nDOA\xe2\x80\x99s response is presented in its entirety in Appendix II. DOA concurred with each of the\nthree recommendations and has taken the following corrective actions:\n\n      \xe2\x80\xa2   revised the BIA questionnaire for immediate use. 
The questionnaire includes the\n          identification of critical contractor/subcontractor staff and whether they have an\n          Emergency Plan which can be incorporated into the FDIC Business Continuity Plan.\n\n      \xe2\x80\xa2   updated the Requirements Package Checklist in the APM to include the requirement that\n          any Statement of Work for essential services contain business continuity requirements as\n          well as emergency preparedness and business continuity provisions in essential\n8\n  The FDIC Call Center is the primary telephone point of contact for the banking industry and the general public. It\nis critical to the FDIC\xe2\x80\x99s mission because it assists in maintaining public confidence in the nation\xe2\x80\x99s financial system.\n\n\n\n                                                          11\n\x0c        subcontracts. Additionally, the checklist was updated to require that essential\n        contractors participate in the FDIC\xe2\x80\x99s business continuity planning, testing, training, and\n        exercises.\n\n    \xe2\x80\xa2   revised Circular 1500.5, entitled FDIC\xe2\x80\x99s Emergency Preparedness Program to include\n        essential contractors in FDIC\xe2\x80\x99s BCP planning, testing, training, and exercises.\n\nDOA\xe2\x80\x99s actions effectively address the recommendations, and we consider all the\nrecommendations closed. Appendix III presents a summary of DOA\xe2\x80\x99s responses to our\nrecommendations and the corrective actions taken.\n\n\n\n\n                                                12\n\x0c                                                                                 APPENDIX I\n\n\n\n                      OBJECTIVE, SCOPE, AND METHODOLOGY\n\nOur objective was to determine whether the FDIC has planned for essential contract services to\nbe provided in the event of an emergency that requires the implementation of the BCP. 
Our\nscope was limited to the contracts identified by SEPS and the DIT Security Section as essential\nfor business continuity and that are included in the FDIC\xe2\x80\x99s Headquarters BCP as of December 1,\n2006. We conducted the audit from November 2006 through January 2007 in accordance with\ngenerally accepted government auditing standards.\n\nTo accomplish our objective, our methodology included reviewing the following documents:\n\n\xe2\x80\xa2   FDIC Circular 1500.5, FDIC Emergency Preparedness Program, dated December 28, 2004,\n    and the revised Circular 1500.5, dated January 30, 2007. (The provisions outlined in this\n    circular serve as the official policy for FDIC Headquarters and regional offices in\n    developing, implementing, and maintaining a BCP.)\n\xe2\x80\xa2   FEMA FPC 65 Federal Executive Branch Continuity of Operations.\n\xe2\x80\xa2   GSA\xe2\x80\x99s Occupant Emergency Program Guide.\n\xe2\x80\xa2   National Institute of Standards and Technology (NIST), U.S. Department of Commerce,\n     Contingency Planning Guide for Information Technology Systems.\n\xe2\x80\xa2   FFIEC\xe2\x80\x99s Business Continuity Planning IT Examination Handbook, issued March 2003.\n\xe2\x80\xa2   Certified Information Systems Auditor Review Manual 2006, Business Continuity and\n    Disaster Recovery.\n\xe2\x80\xa2   Appendix III to the U.S. Office of Management and Budget Circular No. 
A-130, Security of\n    Federal Automated Information Resources.\n\xe2\x80\xa2   FDIC\xe2\x80\x99s Procedure for Conducting a Business Impact Analysis, dated November 19, 2003.\n\xe2\x80\xa2   FDIC OIG\xe2\x80\x99s Evaluation Report, Number 04-029 entitled, FDIC\xe2\x80\x99s Business Continuity Plan,\n    dated August 9, 2004; and FDIC OIG\xe2\x80\x99s Evaluation Report, Number 03-042 entitled, Business\n    Continuity Planning at FDIC-Supervised Institutions, dated September 25, 2003.\n\nTo identify FDIC procedures and practices for contract planning and management for business\ncontinuity, we obtained information from the following FDIC officials:\n\n\xe2\x80\xa2   Assistant Director, Security and Emergency Preparedness Section, DOA\n\xe2\x80\xa2   Chief, Transportation and Emergency Response Unit, DOA\n\xe2\x80\xa2   Assistant Director, IT Contracting Section, DOA\n\xe2\x80\xa2   Assistant Director, ASB, DOA\n\xe2\x80\xa2   Procurement Analyst, ASB, DOA\n\xe2\x80\xa2   Contract Oversight Manager, DIT\n\xe2\x80\xa2   Chief Oversight Support Section, DIT\n\xe2\x80\xa2   Supervisory IT Specialist, Security Section, DIT\n\xe2\x80\xa2   Senior IT Specialist, Security Section, DIT\n\xe2\x80\xa2   Senior Counsel, Legal Division\n\nOur methodology did not include a review of the FDIC\xe2\x80\x99s BCP, which was being revised during\nour audit.\n\n\n\n                                              13\n\x0c                                                                                   APPENDIX I\n\n\n\nInternal Management Controls\n\nWe evaluated the effectiveness of controls in place for identifying essential contracts for\nbusiness continuity and ensuring emergency preparedness clauses had been included in contracts\ndeemed essential for business continuity. These controls included the policies and procedures\nfor conducting a BIA and BCP. 
In the absence of written policies, we relied on interviews and\ninformation obtained from the Assistant Director, SEPS, who is responsible for the FDIC\xe2\x80\x99s BCP,\nand other DOA and DIT officials.\n\nCompliance With Laws and Regulations\n\nWe coordinated reviews of laws, directives, and plans with the OIG\xe2\x80\x99s Office of Counsel to\ndetermine applicability to the FDIC and to gain an understanding of applicable laws and\nregulations. We found no instances where the FDIC was not in compliance with applicable laws\nand regulations.\n\nGovernment Performance and Results Act, Computer-Processed Data, and Fraud or\nIllegal Acts\n\nWe reviewed DOA\xe2\x80\x99s performance measures under the Government Performance and Results\nAct, Public Law 103-62 (GPRA). We reviewed the FDIC\xe2\x80\x99s 2006 Annual Performance Plan and\nthe FDIC\xe2\x80\x99s Strategic Plan for 2005-2010 to determine whether the FDIC has established goals\nrelated to contract planning and management for business continuity. 
Neither plan includes\ngoals, objectives, or indicators specifically related to the subject of our audit.\n\nWe did not rely on computer-processed data to support our significant conclusions, findings, and\nrecommendations, and, as a result, did not perform work to determine the reliability of such data.\n\nOur audit program included steps for providing reasonable assurance of detecting fraud or illegal\nacts, and none came to our attention.\n\n\n\n\n                                               14\n\x0c\x0c     APPENDIX II\n\n\n\n\n16\n\x0c     APPENDIX II\n\n\n\n\n17\n\x0c                                                                                               APPENDIX III\n\n\n\n                      MANAGEMENT RESPONSE TO RECOMMENDATIONS\n\nThis table presents the management response on the recommendations in our report and the\nstatus of the recommendations as of the date of report issuance.\n\n                                                                                                        Open\nRec.                                                  Completion       Monetary Resolved: a               or\nNo.           
Corrective Action Taken                 Date             Benefits Yes or No               Closed\n  1           Revised the BIA questionnaire to        March 13, 2007       N/A        Yes              Closed\n              include identification of critical\n              contractor/subcontractor staff and\n              whether they have an Emergency\n              Plan which can be incorporated into\n              the FDIC BCP.\n      2       Updated the Requirements Package        March 21, 2007       N/A        Yes              Closed\n              Checklist in the APM to require\n              that any Statement of Work for\n              essential services contain business\n              continuity provisions as well as\n              emergency and business continuity\n              provisions in essential subcontracts.\n      3       Updated the Requirements Package        March 21, 2007       N/A        Yes              Closed\n              Checklist in the APM to require\n              that any Statement of Work for\n              essential services contain\n              requirements for the contractor to\n              have emergency plans for providing\n              services to the FDIC in the event of\n              a disruption of normal operations\n              and to participate in the FDIC\xe2\x80\x99s\n              business continuity planning,\n              testing, training, and exercises.\n\n              Revised Circular 1500.5 to include      March 13, 2007       N/A        Yes              Closed\n              essential contractors in FDIC\xe2\x80\x99s\n              BCP planning, testing, training, and\n              exercises.\na\n    Resolved-(1) Management concurs with the recommendation, and the planned corrective action is consistent\n                 with the recommendation.\n             (2) Management does not concur with the recommendation, but planned alternative action is\n                 acceptable to the OIG.\n          
  (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount.\n                 Monetary benefits are considered resolved as long as management provides an amount.\nb\n Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the\nrecommendation can be closed.\n\n\n\n\n                                                           18\n\x0c'